How to block vpn


Hello everyone,

We have Cisco Catalyst switches and Cisco routers. I want to block VPN in my LAN network. How do I?


Rob Ingram

@Faizi for an IPsec VPN you'd need to block ESP, UDP/500 and UDP/4500 - the best place for this would probably be on your router.


ip access-list extended BLOCK-VPN
 deny esp any any
 deny udp any any eq 500
 deny udp any any eq 4500
 permit ip any any
!
interface gigabitethernet 0/2
 description INSIDE Interface
 ip access-group BLOCK-VPN in

If you are referring to an SSL/TLS VPN, that's slightly harder, as that uses TCP/443 and UDP/443, and blocking those would block access to most websites that use TLS.
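As an added example that is not part of the original reply: the Python below evaluates the BLOCK-VPN entries with first-match semantics against constructed flows, showing that IKE, NAT-T and ESP are denied while a TLS VPN on TCP/443 gets the same verdict as an ordinary HTTPS website. The parser covers only the ACL syntax used in the reply; `Ace`, `Flow`, `parse_acl`, `evaluate` and `verdicts` are hypothetical names, and the sample flows are constructed.

```python
from typing import NamedTuple, Optional
# ACL entries copied from the reply; the parser handles only this subset of syntax.
ACL_TEXT = """\
deny esp any any
deny udp any any eq 500
deny udp any any eq 4500
permit ip any any
"""

class Ace(NamedTuple):  # hypothetical helper type for one ACL entry
    action: str
    proto: str
    dport: Optional[int]  # destination port after "eq", or None

class Flow(NamedTuple):  # hypothetical helper type for one observed flow
    label: str
    proto: str
    dport: Optional[int]

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        ok = (tok[0] in ("permit", "deny") and tok[2:4] == ["any", "any"]
              and (len(tok) == 4 or (len(tok) == 6 and tok[4] == "eq")))
        if not ok:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append(Ace(tok[0], tok[1], int(tok[5]) if len(tok) == 6 else None))
    return aces

def evaluate(aces, flow):
    """First matching entry wins; nothing matching means the implicit deny."""
    for ace in aces:
        proto_ok = ace.proto in ("ip", flow.proto)
        port_ok = ace.dport is None or ace.dport == flow.dport
        if proto_ok and port_ok:
            return ace.action
    return "deny"

# Constructed sample flows (protocol and destination port only).
FLOWS = [Flow("IKE", "udp", 500), Flow("IPsec NAT-T", "udp", 4500),
         Flow("ESP", "esp", None), Flow("HTTPS website", "tcp", 443),
         Flow("TLS VPN on TCP/443", "tcp", 443), Flow("DNS", "udp", 53)]

def verdicts():
    aces = parse_acl(ACL_TEXT)
    return {f.label: evaluate(aces, f) for f in FLOWS}
```

Calling `verdicts()` returns a label-to-action mapping; the two TCP/443 flows are identical to the ACL, which is why a port-based filter cannot separate them.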

Thank you dear, but is ASA firewall better than Cisco Umbrella?

@Faizi ASA is a firewall and Umbrella is primarily a DNS/Web filtering solution, but there is a cloud-based firewall.

Regardless, you said you had Cisco switches and routers, not ASA or Umbrella. If you had an ASA, then you could block VPNs using the ASA.

Use a VPN filter to exclude the LAN from the VPN.


Thank you dear, but is ASA firewall better than Cisco Umbrella?

A firewall and Umbrella have some similarities, but they have different purposes. A firewall is meant to monitor and block traffic into and out of your network, in simple terms. Umbrella is how you filter what websites your users visit via DNS/web, as @Rob Ingram said. One is not better than the other; in fact, depending on your network, it would most likely be recommended to use both, or devices similar to both. If I am not mistaken, an NGFW could also act as a DNS/web filter, but it would not hurt to also use Umbrella. There are still some issues with sites that use SSL, like various 18+ websites, which become slightly harder to block.

Thank you dear
